Professional Documents
Culture Documents
Reference04 Casola2016
Reference04 Casola2016
Reference04 Casola2016
fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TSC.2016.2540630, IEEE
Transactions on Services Computing
IEEE TRANSACTIONS ON SERVICES COMPUTING - SPECIAL ISSUE ON SECURITY AND DEPENDABILITY OF CLOUD SYSTEMS AND SERVICES, VOL. , NO. , SEPTEMBER 1
Abstract—Dealing with the provisioning of Cloud services granted by Security SLAs is a very challenging research topic. At the state
of the art, the main related issues involve: (i) epresenting security so that it is understandable by both customers and providers and
measurable (by means of verifiable security-related Service Level Objectives (SLOs)), (ii) automating the provisioning of security
mechanisms able to grant desired security features (by means of a security-driven resource allocation process), and (iii) continuously
monitoring the services in order to verify the fulfillment of specified Security SLOs (by means of Cloud security monitoring solutions).
We propose to face the Security SLA life cycle management with a framework able to enrich Cloud applications with security features.
In this paper we (i) present a novel Security SLA model and (ii) illustrate a security-driven planning process adopted to determine the
(optimum) deployment of security-related software components Such process takes into account both specific implementation
constraints of the security components to deploy and customers security requirements, and enables the automatic provisioning and
configuration of all needed resources. In order to demonstrate the applicability of the approach, we present and discuss a practical
application of the model on a real case study.
Index Terms—Cloud security, Security Service Level Agreement, Optimal Resource allocation
1 I NTRODUCTION
1939-1374 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TSC.2016.2540630, IEEE
Transactions on Services Computing
IEEE TRANSACTIONS ON SERVICES COMPUTING - SPECIAL ISSUE ON SECURITY AND DEPENDABILITY OF CLOUD SYSTEMS AND SERVICES, VOL. , NO. , SEPTEMBER 2
reported in a Security SLA with a set of security mecha- enables the formal specification of security requirements
nisms offered as a service (Security-as-a-Service) and on (ii) and constraints, thus remedying to the current lack of stan-
automatically generating and implementing an allocation dards for their definition. Furthermore, we briefly discuss
plan for the actual deployment of software components the Security SLA life cycle and illustrate how it is managed
belonging the desired security mechanisms. The addressed within the SPECS project, whose activities gave inspiration
security-driven planning problem is very challenging, as to the work presented in this paper.
it must take into account not only implementation and
deployment-specific constraints of the security mechanisms
2.1 Security SLA representation
to activate depending on the security features requested by
the customer, but it also must cope with security-related A Security SLA is an agreement between a Cloud customer
constraints set by the specified Security SLOs. While some and a Cloud provider that specifies security-related terms
work exists in the literature on the allocation of resources and conditions about delivered services. In addition to the
based on Quality of Service parameters [6], no comprehen- information about involved parties and provided services, a
sive solutions to the problem of automatically providing Security SLA must include also security-related guarantees.
security based on SLAs has been proposed yet. Indeed, state Unfortunately, despite the strong interest in security and the
of art solutions devoted to the provisioning and allocation existing efforts towards standardization, a shared format
of resources [7] do not address the problem of applying for Security SLAs including the representation of security
such approaches to security mechanisms and do not take in attributes and security guarantees is not yet available.
consideration customer-defined security requirements and WS-Agreement (WSAG) [5], born in the context of GRID
related security constraints. Moreover, automatic provision- computing, is currently the only standard supporting both
ing solutions are commonly focused on optimization of a formal representation of SLAs and a protocol for their
costs and infrastructure resources usage. Such solutions automation, and has been recently widely adopted, in the
were applied mainly in the context of High Performance context of many Cloud-oriented FP7 projects (e.g., SPECS,
Computation, on GRID and on clusters of workstations, Contrail, mOSAIC, Optimis, Paasage), to represent SLAs in
and they cannot be easily reused in Cloud, since Cloud the Cloud environment. However, WSAG does not allow, by
providers (CSPs) do not provide a static pool of resources its original definition, to specify security-related attributes.
whose configuration and deployment features are known in Hence, for the purpose of automatically managing the Se-
advance. curity SLA life cycle, we introduced a Security SLA model
In order to demonstrate the feasibility and efficacy of our and a machine-readable format based on the WSAG’s XML
proposal, we present a practical applications of the planning schema and extended with all security-related information.
problem on a real case study based on the provisioning of a The Security SLA model, according to our requirement
Secure Web Container application. With respect to such case analysis, should enable the Cloud customer to specify its
study, we present the whole enforcement phase up to the own requirements through an SLA and verify evidence of
definition of an optimal plan, and discuss also how planning the grants through measurable Service Level Objectives.
anomalies may occur and may be avoided. Moreover, the SLA should be monitorable and enforceable.
The remainder of this paper is organized as follows: Sec- In the security context, these requirements may be con-
tion 2 presents the proposed Security SLA model by speci- flicting: Cloud service customers express security require-
fying the concepts of security metrics, security capabilities, ments with focus on the threats and risks, while Cloud
security mechanisms and Security SLOs, and by illustrating service providers usually express their grants in terms of
the Security SLA life cycle and introducing the approach to security mechanisms (i.e. tools and software that implement
Security-as-a-Service; Section 3 details the SLA enforcement security policies) and their configuration parameters. On
process and analyzes in details the planning problem as one hand, the Cloud service customer requirements are
seen from a security driven perspective. Section 4 presents usually hard to measure and enforce, and on the other hand,
and discusses the mathematical formulation of the proposed the Cloud service providers security details are usually far
planning model and the list of possible security constraints. from customer interest and understanding.
Section 5 presents some practical applications of the model In order to address such conflicting requirements, we
built within this paper with the presentation of a case propose a model that aims at reducing the gap between
study. Section 6 discusses related work and, finally, Section Cloud customers and providers by formalizing both declar-
7 presents the conclusions and further research directions of ative and measurable terms.
this work. The declarative terms describe the standard security con-
trols that are ensured over the services protected by the
SLA, and the SLOs (i.e. the measurable terms) are expressed
2 T HE S ECURITY SLA MODEL through metrics that are associated to the security controls
As anticipated in Section 1, in this paper we address the declared: i.e. we propose a set of SLOs and metrics that give
problem of enforcing security in the Cloud through Security evidence that the security controls are being applied.
SLAs. In particular, we are interested in illustrating how A high-level view of the proposed Security SLA model
to plan the (optimal) deployment, on Cloud resources, of is represented in the UML diagram in Figure 1, where the
software components implementing the security features extensions to WSAG to address security concepts are high-
requested by a Cloud customer. Before going into the details lighted in light gray, in white boxes we reported the WSAG
of the planning process, described in Section 3, in this concepts, while the dark gray box represents the main
Section we present a novel Security SLA representation that concept, namely the Security SLA. As shown, a Security SLA
1939-1374 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TSC.2016.2540630, IEEE
Transactions on Services Computing
IEEE TRANSACTIONS ON SERVICES COMPUTING - SPECIAL ISSUE ON SECURITY AND DEPENDABILITY OF CLOUD SYSTEMS AND SERVICES, VOL. , NO. , SEPTEMBER 3
is provided with basic information such as the agreement properties section and used to define Security
name and some context information (including the agree- Service Level Objectives (SLOs)6 in the guarantee
ment initiator and responder), plus a Terms section (cf. terms section. A metric specification includes all in-
WSAG specification). The WSAG specification defines two formation needed to identify it and to correctly process
types of terms, namely service terms and guarantee the SLOs in which it is involved, such as the metric’s
terms. Service terms provide information on the services name, its definition, its unit and scale of measurement,
to which the agreement is referred and to which guarantee and the expression used to compute its value.
terms can apply, while guarantee terms specify the service Service properties are used to define measurable
levels that the parties agree upon. and exposed properties associated with a service. In our
Service terms are further refined in service model, each service property is explicitly associated with
description terms and service property terms. a security capability (since it is used to check the enforce-
Service description terms define the functionalities that will ment of related security controls), and contains a set of
be delivered under the agreement, and are characterized variables, referring to security metrics above defined
by a term name, a service name, and a domain-specific and representing the actual parameters adopted in SLO
description of the offered/required functionalities. In order expressions.
to enrich the WSAG specification with security-related Finally, guarantee terms include the conditions that
information, we proposed a security-based domain-specific must be verified to fulfill the agreement. We adopted the
service term description, made of the following CustomServiceLevel item of the WSAG specification to
three sections: define our custom Security SLOs, identified by a SLO id, a
• service resources provider: this section de- reference to the metric involved in the SLO, and the related
scribes the available infrastructure resource providers expression, along with a weight assigned by the service
(id, name, zone, and maximum number of allowed customer and representing the related level of importance.
instances reservations, if applicable) and the avail- The proposed Security SLA model not only provides a
able appliances (i.e., virtual machines) offered by each formal and shared (among customers and providers) repre-
provider (type of appliance, HW/SW features and de- sentation of security requirements and related SLOs, but it
scription); also enables the automatic management of the Security SLA
• capabilities: this section describes the security ca- life cycle, as illustrated in the following sections.
pabilities5 offered/required on top of the services cov-
ered by the agreement. Each capability is defined as a
set of security controls belonging to a Security 2.2 Security SLA management
Control Framework, such as NIST’s Control Frame- According to current standards on Cloud SLAs (e.g., WSAG
work [2] or Cloud Security Alliance’s Cloud Control and ISO19086 [8]), the SLA life cycle [9] is characterized by
Matrix [3]; five phases, namely Negotiation, Implementation, Monitoring,
• security metrics: this section includes the specifi- Remediation and Renegotiation.
cation of the security metrics referenced in the service During the Negotiation phase, an agreement initiator en-
gages a negotiation process with an agreement responder.
5. Security capabilities are defined by NIST as combinations of
mutually-reinforcing security controls (i.e., safeguards and countermea- In the considered process, a service customer specifies his
sures) implemented by technical means (i.e., functionality in hardware,
software, and firmware), physical means (i.e., physical devices and pro- 6. Security SLOs are conditions involving proper security metrics,
tective measures), and procedural means (i.e., procedures performed by which allow to measure the level of security being delivered with a
individuals) [2]. service.
1939-1374 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TSC.2016.2540630, IEEE
Transactions on Services Computing
IEEE TRANSACTIONS ON SERVICES COMPUTING - SPECIAL ISSUE ON SECURITY AND DEPENDABILITY OF CLOUD SYSTEMS AND SERVICES, VOL. , NO. , SEPTEMBER 4
business and security requirements and, based on these, the which realize the implementation plan by actually acquiring
agreement initiator, acting on behalf of the service provider, the needed resources and by deploying and configuring
prepares a SLA Offer. Note that SLA Offers may be built proper components. At the same time, proper monitoring
based on proper SLA Templates, which help define the components are configured and activated.
admissible agreement requests and responses. The offer is Let us consider a simple example. With SPECS, we can
then submitted to the agreement responder, representing the choose different Control Frameworks coded in the SLA and
service customer, who may accept it or not, thus giving rise provide different security mechanisms to enforce required
to a possibly iterative process. Negotiation typically ends security controls. In a world without SPECS, if we consider
with the formal acceptance of an SLA by both parties (often a ”continuous scan of vulnerabilities” requirement and we
referred to as the signature of the SLA), and is followed by adopt the NIST SP800-53r4 on ”Security and Privacy Con-
the enforcement phase. trols for Federal Information Systems and Organizations” as
During Implementation, not only the provider provisions a guideline for assessing and coding the Security Control
and operates the Cloud service, but it also sets up and Framework, a security administrator can verify that the
provides the customer with the processes needed for the NIST prescribes the adoption of the RA-5 control (namely
management and monitoring of the Cloud service itself. Security Scanning), which imposes to adopt tools that con-
After implementation, the Monitoring phase takes place, tinuously scans for vulnerabilities and (with ”enhanced con-
in which the Cloud services covered by the SLA are moni- trols 1 and 2”) imposes the frequency for maintaining such
tored in order to enable both the provider and the customer tools updated to the latest discovered vulnerabilities db.
to verify the observance of the SLA terms (i.e., Security With SPECS, we can automatically build and implement
SLOs). a feasible SLA Offer offering this requirement (expressed
Finally, Remediation takes place when the provider has with a SLO). A security mechanism, that implements the
to react to events in order to repair an SLA violation (or prescribed security control, must be available (as a ser-
to prevent such a violation) and Renegotiation takes place vice), it supports metrics to implement and monitor desired
if one of the two parties aims at changing the agreement Service Level Objective and grant that the vulnerability
terms, before SLA termination. list is updated with a given frequency (this feature is
Security SLA life cycle management is the core topic supported by many common tools, like OpenVAS). The
of the FP7-ICT programme project SPECS [10], [11], whose security mechanism, that provides this security control, is
main objective is to provide an open source framework to configured to automatically download the vulnerability list
easily build applications that offer services covered by Secu- and update the scanning tools. If the SLA is violated, as
rity SLAs. In particular, the SPECS framework is intended an example the vulnerability list cannot be downloaded in
to enhance the offers of existing providers by automatically time, a remediation action takes place, changing the source
activating, in an as-a-service fashion, the security mecha- of vulnerability list or (in the worst case) notifying that the
nisms that implement the security capabilities negotiated system is no more secure, the SLA cannot be sustained
by Cloud customers. The SPECS framework is composed of and notifying it to the customer. The SPECS framework
three main modules, namely the Negotiation module, which enables to automatically enforce security policies according
manages the Negotiation and Renegotiation phases, the to standard security policies and security best practices by
Enforcement module, responsible of the actions associated mapping the user security requirements with a Security
to Implementation and Remediation, and the Monitoring SLA that is automatically implemented and offers security
module, which manages the respective phase. Within the controls, guaranteed over time, even if security incidents,
Enforcement module, the software components that offer that may potentially affect the signed SLA, occurr.
security services for the implementation of specific security The work reported in this paper is focused on the au-
mechanisms are hosted. The SPECS application orchestrates tomatic building of valid SLA Offers and on the definition
the services offered by the three main modules. In particular, of the implementation plan. In particular, we address the
the application workflow, which relies upon the proposed enforcement of a Security SLA from the point of view of the
Security SLA model is as follows. A service customer planning activity aimed at identifying the optimal deploy-
specifies, through the Application’s interface, the desired ment of components implementing the requested security
(target) service features and the security capabilities that requirements. Such planning activity has a twofold objec-
he is willing to obtain with the service, among those avail- tive: it is fundamental during SLA Negotiation, in order
able. Moreover, for each selected capability, the customer to verify the existence of a feasible solution to customer’s
also specifies related Security SLOs. Based on customer’s requests, and it is essential during SLA Implementation,
requirements, a set of compliant SLA Offers is identified in order to automatically deploy security mechanisms and
and their feasibility is verified, by taking into account both have them up and running as agreed in the SLA.
the constraints set by the implementation of security mech-
anisms and the Security SLOs defined by the customer. This
phase involves the building of an implementation plan, aimed 3 T HE SLA ENFORCEMENT PROCESS
at determining the resources to acquire and at identifying With respect to the life cycle described in the previous
how to distribute (if possible) needed software components section, in this section we focus on the Enforcement phase
on such resources in order to provide the requested security and in particular on one specific process orchestrated by the
features. Upon acceptance, the agreed terms are included in SPECS Enforcement module, namely the planning process,
a Security SLA that is finally signed. Afterward, the agree- which is the essential step for both SLA Negotiation and
ment is implemented through the Enforcement services, SLA Implementation.
1939-1374 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TSC.2016.2540630, IEEE
Transactions on Services Computing
IEEE TRANSACTIONS ON SERVICES COMPUTING - SPECIAL ISSUE ON SECURITY AND DEPENDABILITY OF CLOUD SYSTEMS AND SERVICES, VOL. , NO. , SEPTEMBER 5
As shown in Figure 2, the SLA Negotiation phase starts source provider can be evaluated using a security evaluation
when a Cloud customer specifies the business and security methodology, such as REM [12], AHP [13] or QHP [14].
features of the desired service. In order to help the customer The Cloud customer has the opportunity to select the de-
express his requirements, a Security SLA Template is made sired SLA Offer and to sign it. The signed SLA is forwarded
available, containing the available choices for the customer to the Planning component (Step 5), which builds the im-
(security capabilities, security metrics, SLOs, etc.). More in plementation plan (Step 5.1). This step entails transforming
general, security requirements may be specified step by the signed SLA into a configuration file, later forwarded to
step in an interactive process, in such a way to gradually the Implementation component (Step 6) to set and start the
achieve a Security SLA Template compliant with the model services specified in the implementation plan.
discussed in Section 2.1, which contains all and only the
terms of interest for the customer.
The resulting Security SLA Template, including capa-
bilities and associated controls, security metrics and SLOs,
is forwarded to the Planning component (provided by the
Enforcement module in the SPECS framework) (Step 2),
which is in charge of evaluating its feasibility, building
the plan(s) that will be later used for implementation, and
preparing a set of SLA Offers.
1939-1374 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TSC.2016.2540630, IEEE
Transactions on Services Computing
IEEE TRANSACTIONS ON SERVICES COMPUTING - SPECIAL ISSUE ON SECURITY AND DEPENDABILITY OF CLOUD SYSTEMS AND SERVICES, VOL. , NO. , SEPTEMBER 6
a feasible and optimal allocation plan that includes an that is actually needed to implement the Security SLA, and
available resource provider (e.g. Amazon EC2) and all the then it has to retrieve and customize the set of constraints
settings for physical allocation of needed components on a related to them. In fact, as discussed more in details in
minimal number of resource. Section 4, the choice of components to deploy and the actual
Figure 4 describes the security-driven planning process definition of constraints to take into account in the planning
for building a list of SLA Offers. The process comprises three process, are both dependent on expressed Security SLOs.
steps: (i) preparation of a possible list of SLA Offers, (ii) Finally, according to the resource declaration section of
invocation of the solver to build plans and validate the list the Security SLA (for each CSP and each type of virtual
of SLA Offers, (iii) preparation of the list of feasible SLA appliance offered by the CSP) and according to the final sets
Offers. of components and constraints, the Planning components
has to solve the planning problem to build feasible plans
(see Figure 5), i.e., it has to determine:
• the number of instances of each component,
• the number of resources needed to deploy all needed
components,
Fig. 4. Building SLA Offers: the process • the distribution of components over all resources.
The final set of components and their allocation is then
stored into the Planning component and associated to the
In particular, the Planning component generates a possi-
generated SLA Offer. SLA Offers that does not have a
ble SLA Offer on the basis of information specified by the
solution using the planner are removed from the SLA Offers
customer in the SLA Template, i.e. the available resource
list.
providers and the desired security capabilities. The Plan-
ning component generates a possible SLA Offer for each
resource provider available, then selects the set of mech-
anisms able to enforce the security metrics and capabilities
that are declared in the SLA Template. In case when multiple
security mechanisms cover the requested capabilities and
metric, multiple possible SLA Offers will be generated. For
each possible SLA Offer, the Planning component’s Solver
generates a plan that takes into account the amount of
resources needed to enforce the selected security mecha-
nisms, the constraints that mechanisms impose for their
implementation and the SLOs. If the Solver is not able to
generate a plan, the SLA Offer is discarded from the final
list. Finally, the list of feasible SLA Offers is returned back
to the customer that can choose and sign it for effective
implementation.
The problem of building plans associated to security
SLA Offers is very challenging, not just because we need
to consider limitations of resources (e.g., maximal load on
each virtual machine), but because we need to take into
account constraints related to security mechanisms (e.g., Fig. 5. Planning problem - Solver’s input and output
dependencies or incompatibilities among components) and
to measurable and granteed SLOs. Providing Security SLAs in the Cloud and automatically
Each security mechanism consists of a set of components, building implementation plans for securing Cloud services
which belong to two main categories: is, at the state of the art, a problem that does not have
• security components enforce security capabilities speci- a known and applicable solution in the literature. At the
fied in a Security SLA. best of our knowledge, the majority of approaches is only
• monitoring components observe configured services in partially automated and still based on security administra-
order to guarantee the fulfillment of a Security SLA. tors following security best practices and security policies
The list of components belonging to a mechanism, along to select, implement and audit security controls. According
with related configuration parameters, is included in the to the proposed approach we faced this problem by the
mechanism’s metadata, provided by the mechanism’s de- definition of a clear and simple process that completely
veloper. In addition to this, a mechanism’s metadata also enables the automation of the selection of security controls
includes other information, such as the resource consump- and mechanisms to measure, monitor and guarantee them.
tion features of related components, the possible constraints The approach includes a problem of automatic mechanism
specified by the mechanism’s developer involving depen- selection, i.e. automatic enforcement of standard security
dencies and incompatibilities among components, and some policies (SLA Offers preparation) and a planning problem
deployment rules (for details see Section 4.3.2). (generation of feasible SLA Offers), i.e., the optimal allo-
For each security mechanism, the Planning component cation of software components to resources that will be
has to identify the subset of related software components illustrated in details in the next sections.
1939-1374 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TSC.2016.2540630, IEEE
Transactions on Services Computing
IEEE TRANSACTIONS ON SERVICES COMPUTING - SPECIAL ISSUE ON SECURITY AND DEPENDABILITY OF CLOUD SYSTEMS AND SERVICES, VOL. , NO. , SEPTEMBER 7
4 P LANNING PROBLEM STATEMENT their resource consumption features (e.g., required RAM or
All the constraints considered in our model can be expressed CPU) and the set of constraints that have been specified
in a linear way. Since our goal is to find the minimum by the mechanism’s developer related to their deployment
number of resources to acquire to implement an SLA, the (cf. Section 4.3). Note that, given a certain security mech-
best suited approach to solving the planning problem (from anism to enforce, depending on the specified metrics and
the constraints, optimization function, and also read com- on related SLOs, only a subset of the mechanism’s declared
plexity and flexibility point of view) is to use Integer Linear components may be selected for actual deployment. These
Programming (ILP). components constitute the input set C̄ above defined. Each
In the following, we illustrate the formulation of the component ci ∈ C̄ is assigned a computational load li
planning problem. We show how the Planning component based on resource consumption features included in the
uses information about available resources, information metadata. This information is easily obtained by properly
about the limitations of the infrastructure, constraints re- testing components in different load conditions.
lated to the set of mechanisms to deploy, and then dynami- From the resource declaration section of the SLA Tem-
cally builds the ILP model, i.e., prepares the input and finds plate, the Planning component is able to extract available
the optimal solution for a SLA Offer. providers, zones and HW features of the available vir-
In order to solve the planning problem, the Planning tual appliances. Moreover, we assume that the maximum
component uses a Solver, a component able to process number of machines that can be acquired by a user from
all requirements and all infrastructure constraints, and to each provider is also known (e.g., Amazon EC2 poses a
identify the optimal solution. limit of 20 instance reservations per Availability Zone, per
Note that, due to some constraints, it may happen that month 7 ). As an alternative, the maximum number of virtual
the Solver is not able to find any solution to the planning machines can be computed based on the maximum cost
problem. As we mentioned earlier, that would mean that that the customer is willing to pay. For each provider and
the SLA offer cannot be enforced and will not be proposed virtual appliance type, the Planning component builds the
to customer for signature. set V M of available virtual machines and computes the
An extensive use case that outlines all planning steps optimal allocation of components in C̄ on resources in
mentioned in this Section, and presenting our approach to V M . All virtual machines of V M are characterized by a
the automatic enforcement of security SLAs, is provided in maximum allowed load V M Lmax, computed based on the
Section 5. HW features declared in the SLA Template.
In particular, our formulation is aimed at minimizing the
number of virtual machines to acquire. Given the simplicity 4.2 Output variables and objective function
of the model and the limited size of real-world problems, As anticipated, we are interested in determining the (min-
it is possible to apply exact algorithms such as the Simplex imum) number of machines to acquire from the provider,
algorithm, which always returns optimum solutions if they such that all components in C̄ are deployed on at least one
exist. In our case study, we will adopt Xpress Optimization virtual machine belonging to V M . We have two main sets of
Suite that validates the approach, guarantees the feasibility output variables, representing respectively the acquisition
of the SLA and does not introduce a big computation of virtual machines and the allocation of components on
overhead. In general, a more complex but more efficient virtual machines:
algorithms (e.g., based on heuristics) may be considered to
cope with bigger problems.
In the following subsections, we discuss and provide the 1, if ci is deployed on machine mj ,
xij =
mathematical formulation for the main input variables of 0, otherwise,
the model, the output variables, the objective function and
i = 1, 2, · · · , N, j = 1, 2, · · · , M , and
the constraints.
1, if mi is acquired,
yi =
4.1 Input variables: components and virtual machines 0, otherwise
The planning model has two main inputs, namely N soft- i = 1, 2, · · · , M .
ware components to deploy C̄ = c1 , · · · , cN and M avail- The objective function aims at minimizing the number of
able virtual machines V M = m1 , · · · , mM . As previously acquired virtual machines and can be formalized as follows:
said, this information is retrieved by the Planning com-
ponent from the analysis of the SLA Template: software M
X
components to install, along with their configurations, are min yi (1)
identified based on the selected capabilities and on the i=1
specified SLOs, while virtual machines-related information
is obtained from the resource declaration section of the SLA 4.3 Model constraints
Template. The allocation of components belonging to different mecha-
In particular, for each declared capability, the Planning nisms to virtual machines is subject to various constraints. In
component retrieves the corresponding security mechanism addition to general constraints, which are always considered
and related metadata. The metadata contains the list of all in the model and are related to basic allocation rules, it is
software components belonging to the mechanism along
with their configuration parameters, some information on 7. http://docs.aws.amazon.com/general/latest/gr/aws service limits.html
1939-1374 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TSC.2016.2540630, IEEE
Transactions on Services Computing
IEEE TRANSACTIONS ON SERVICES COMPUTING - SPECIAL ISSUE ON SECURITY AND DEPENDABILITY OF CLOUD SYSTEMS AND SERVICES, VOL. , NO. , SEPTEMBER 8
possible to identify a set of specific constraints defined by the components ci ∈ Ĉ (note that, by assumption, cα
mechanisms’ developers, which regulate the deployment and Ĉ belong to the same mechanism).
of components based on well-defined intra-mechanism and
inter-mechanism rules and on the values of specific metrics. xαj + xij ≤ 1,
While preparing the input for the model, the Planning ^
component retrieves the metadata associated with each ∀i = 1, 2, · · · , N : i 6= α ci ∈ Ĉ, (SC1a)
mechanism to enforce, and dynamically builds the planning ∀j = 1, 2, · · · , M
model by properly adding specific constraints at runtime.
In the following, we discuss both general and specific con- – SC1b. Full incompatibility/exclusive use: component cα
straints and provide a mathematical formulation for each of needs exclusive use of a machine. Note that this is
them. a particular case of SC1a and can be written in the
same way considering Ĉ = C̄ − cα .
4.3.1 General constraints • SC2. Number of instances. Such constraints refer to
the number of instances of components to deploy. The
We identified the following general constraints:
number of instances is defined through an expression
• GC1. Each component ci must be allocated to at least that includes an operator and a set of up to two values.
one machine. This class can be further divided into three subclasses:
M – SC2a. Number of instances of a component: the number
of instances of component cα must comply with an
X
xij ≥ 1, ∀i = 1, 2, · · · , N (GC1)
j=1
expression. The allowed expressions are summarized
in Table 1.
• GC2. The maximum allowed load V M Lmax on each
acquired machine cannot be exceeded. TABLE 1
SC2 allowed expressions
N
X Operator value1 value2
xij ∗ li ≤ V M Lmax, ∀j = 1, 2, · · · , M (GC2) = n -
i=1 ≥ n -
≤ n -
• GC3. A component ci can be allocated to virtual ma-
in n1 n2
chine mj only if mj is acquired.
In the following, the related mathematical formula-
xij ≤ yj , ∀i = 1, 2, · · · , N , ∀j = 1, 2, · · · , M tions are listed.
(GC3) M
X
xαj = n (SC2a-1)
4.3.2 Mechanism-specific constraints j=1
As anticipated, further constraints may apply to mecha- M
nisms or to components depending on their specific fea-
X
xαj ≥ n (SC2a-2)
tures. We assume that such constraints are set by mech- j=1
anisms’ developers, who may not be aware of the other
M
implemented mechanisms and their components. As a con- X
sequence, we consider either intra-mechanism constraints xαj ≤ n (SC2a-3)
j=1
that express rules on the joint deployment of specific compo-
nents belonging to the same mechanism, or inter-mechanism M
X
constraints, which express general rules that only indirectly n1 ≤ xαj ≤ n2 (SC2a-4)
involve components from different mechanisms. j=1
Mechanism-specific constraints can be divided into – SC2b. Number of instances of a set of components: the
classes, by grouping together constraints of the same type. total amount of instances of components ci ∈ Ĉ must
We identified four main classes and, within each class, comply with an expression as defined in Table 1.
we also identified subclasses of constraints that can be Although this constraint includes the previous one,
expressed with similar mathematical formulations. This is we decided to consider them separately in favour of
particularly useful in order to define a syntax for the rep- the clarity of the case study, shown in Section 5. The
resentation of mechanism-specific constraints to include in related mathematical formulations are listed in the
the mechanisms’ metadata, as we will show in Section 4.3.3. following.
• SC1. Incompatibility. Such constraints express a con-
M
dition of incompatibility among components, which X
implies that the involved components cannot be de- xij = n (SC2b-1)
ployed on the same machine. This class can be further i:ci ∈Ĉ,j=1
specialized into two subclasses: M
X
– SC1a. Simple incompatibility: component cα cannot be xij ≥ n (SC2b-2)
allocated to a machine together with a set of other i:ci ∈Ĉ,j=1
1939-1374 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TSC.2016.2540630, IEEE
Transactions on Services Computing
IEEE TRANSACTIONS ON SERVICES COMPUTING - SPECIAL ISSUE ON SECURITY AND DEPENDABILITY OF CLOUD SYSTEMS AND SERVICES, VOL. , NO. , SEPTEMBER 9
M
X M
X M
X
xij ≤ n (SC2b-3) xαj ≤ xβj (SC4-3)
i:ci ∈Ĉ,j=1 j=1 j=1
M M
X M
X
xαj = 1 + f loor(1/n ∗ xβj )
X
n1 ≤ xij ≤ n2 (SC2b-4) (SC4-4)
j=1 j=1
i:ci ∈Ĉ,j=1
Note that avoiding conflicts among constraints belong-
– SC2c. Full deployment of a component: cα must be
ing to the same mechanism is up to the mechanism’s
installed on each acquired machine.
developer. Nevertheless, conflicts may still appear among
Clearly, such constraint must take into account possi-
constraints of different mechanisms. Consider for instance
ble incompatibilities with other components in order
the following situation: an SC1b (full incompatibility) con-
to make the problem feasible and solvable. Therefore,
straint has been defined for component cα of mechanism
the developer must also indicate the set of compo-
sm1 , while an SC2c (full deployment) constraint has been
nents ci ∈ Ĉ that are incompatible with cα . The
set for component cβ of mechanism sm2 . Clearly, if such
resulting mathematical formulation is as follows:
constraints were included in the model without any mod-
X ification, the solver would not find any feasible solution.
xαj + xij = yj , ∀j = 1, 2, · · · , M In order to avoid this situation, the Planning component
(SC2c)
i:ci ∈Ĉ recognizes that two constraints of type SC1b and SC2c
respectively have been specified, and automatically rewrites
This formulation states that, if cα must be allocated constraint SC2c by including cα in the set Ĉ of components
on all acquired machines but it is incompatible with that are incompatible with cβ . An example of this will be
cβ (since, for example, an SC1b constraint has been shown in Section 5.
defined for it), then if machine mj is acquired (i.e.,
yj = 1), exactly one component between cα and cβ 4.3.3 A syntax for mechanism-specific constraints
will be deployed on mj .
A security mechanism developer must be provided with
• SC3. Minimum number of machines. Such constraint a clear and simple syntax to define specific constraints for
expresses the need for a minimum number n ≤ M of his mechanisms based on the classes above discussed. The
machines and may be explicitly introduced by a SLO. constraints specified by the developer will be included in
The formulation of this constraint is as follows: the mechanism’s metadata along with configuration param-
M
X eters and other information needed to run the mechanism.
yi ≥ n (SC3) Constraints and metadata in general may be specified in
i=1 several formats, based, for example, on the popular XML
and JSON technologies. In the SPECS project and in this
• SC4. Dependency. The number of instances of a com-
paper we adopt the JSON format as it is a lightweight data-
ponent cα depends on the number of instances of a
interchange format that is language-independent, easy to
component cβ according to an expression. The allowed
read and write for humans, and easy to parse and generate
expressions are summarized in Table 2.
for machines.
The JSON schema for mechanism-specific constraints
TABLE 2 is reported in Listing 1. The schema includes the id of
SC4 allowed expressions
the involved class or subclass of constraints (ctype), two
Operator value possible arguments (arg1 and arg2), an operator (op), and
= - two integer values (v1 and v2). The arguments may include
≥ - either the (integer) id of a component or the list of ids of
≤ - a set of components depending on the specific constraint
* n class/subclass, while the operator is one of those defined
in tables 1 and 2. Table 3 illustrates how to fill the JSON
While the meaning of the first three expressions is schema for each of the constraint classes defined in Section
straightforward, it is worth spending some words on 4.3. Given this mapping, a developer can add constraints to
the last one: this last expression is used to state that mechanisms’ metadata in a very easy way.
every n instances of cβ there must be one further
instance of component cα (at least one instance of cα
must be present). The mathematical formulation of this
class of constraints is as follows.
M
X M
X
xαj = xβj (SC4-1)
j=1 j=1
M
X M
X
xαj ≥ xβj (SC4-2)
j=1 j=1
1939-1374 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TSC.2016.2540630, IEEE
Transactions on Services Computing
IEEE TRANSACTIONS ON SERVICES COMPUTING - SPECIAL ISSUE ON SECURITY AND DEPENDABILITY OF CLOUD SYSTEMS AND SERVICES, VOL. , NO. , SEPTEMBER 10
Listing 1. JSON schema for mechanism-specific constraints which represent the guarantee terms that the customer and
{ the CSP agree upon. In our case study, two metrics related to
{
"ctype": "string",
the Web Resilience capability are considered, namely Level
"arg1": { "type": "array", of Redundancy (LoR) and Level of Diversity (LoD).
"items": { The former represents the number of replicas of the web
"type": "integer" container that are set-up and kept active throughout the
},
}, service operation to ensure redundancy, while the latter is
"arg2": { the number of different software and/or hardware versions
"type": "array", of the web container service that are set-up and kept active
"items": {
throughout the service operation to increase the protection
"type": "integer"
}, from attacks and vulnerabilities exploits. Note that LoR and
}, LoD are both metrics, which can be easily checked by verify-
"op":"string", ing the number of active replicas, and enforcement parame-
"v1":"integer",
"v2":"integer", ters, used to actually configure the WebContainerPool mech-
}, anism in order to achieve the desired resiliency. Regarding
"required":["ctype"] the Intrusion Detection capability, the Report Generation
} Frequency (RGF) metric is considered. This metric spec-
ifies the frequency (in hours) of generation of intrusion
detection reports, and is actually used as a configuration
TABLE 3
Mechanism-specific constraints parameter when building the implementation plan. In our
case study, during negotiation, the customer selects LoR=3
ctype arg1 arg2 op v1 v2 and LoD=2 and specifies RGF=2. These SLOs are included
SC1a cα ci ∈ Ĉ - - - in the SLA Template, which is passed to the Enforcement
SC1b cα - - - - module to prepare SLA Offers. The Enforcement module
SC2a-1 cα - = n - retrieves the mechanisms associated with the selected capa-
SC2a-2 cα - ≥ n - bilities along with their metadata and instantiates the model
SC2a-3 cα - ≤ n -
SC2a-4 cα - in n1 n2
discussed in section 4 by identifying the input and output
SC2b-1 ci ∈ Ĉ - = n - variables and the specific constraints to include (see next
SC2b-2 ci ∈ Ĉ - ≥ n - subsections).
SC2b-3 ci ∈ Ĉ - ≤ n -
SC2b-4 ci ∈ Ĉ - in n1 n2
SC2c cα ci ∈ Ĉ - - - 5.1 Model input and output variables
SC3 - - - n -
SC4-1 cα cβ = - - The first input to the model is represented by the set of
SC4-2 cα cβ ≥ - - components that must be deployed. The WebContainerPool
SC4-3 cα cβ > - -
SC4-4 cα cβ ∗ n -
mechanism is implemented by a set of different web con-
tainer components and a Balancer, which is responsible for
dispatching web requests to the active web containers to
ensure load balancing. Since the customer requested LoD=2,
5 A WEB CONTAINER CASE STUDY only two different web container components are selected,
In order to illustrate the introduced approach, in this section namely Apache and Nginx. For what regards the WebIn-
we discuss a case study involving the provisioning of a se- trusionDetection mechanism, two components are involved,
cure web container service (cf. Figure 6). The web container namely an IDSAgent, to be installed on the resources to
service is offered without security guarantees by a CSP, protect, and an IDSServer, which collects data gathered by
while the security capabilities specified by the customer the IDSAgents and performs the detection activities.
during negotiation are provided, in an as-a-service fashion, Overall, we have N = 5 components:
by the SPECS framework. In our case study in particular, the
customer is interested in acquiring a web container service C̄ = {Balancer, Apache, N ginx,
provided with the following security capabilities: (2)
IDSServer, IDSAgent}
• resilience to attacks and failures by means of the intro-
duction of redundancy and diversity techniques, and Regarding virtual machines, let us assume that the se-
• protection from unauthorized and potentially danger- lected provider allows to acquire M = 20 machines at most.
ous accesses, by means of the integration of proper Therefore, we have a set of 100 variables xi,j representing
intrusion detection tools. the allocation of components to machines plus a set of 20
Such security capabilities, named respectively Web Re- variables yi to express the acquisition of virtual machines.
silience and Intrusion Detection, are implemented through Note that, although the size of the problem is pretty big,
proper software mechanisms offered as part of the SPECS linear programming tools are able to provide a solution
Enforcement module, namely WebContainerPool and WebIn- quite easily for this kind of models.
trusionDetection. Related to each capability and more pre- Finally, as for components’ costs and machines’ capac-
cisely to the included security controls, proper security met- ities in terms of computational load, let us assume that
rics can be selected by the customer to define Security SLOs, li = 1 ∀i = 1, 2, · · · , N and that V M Lmax = 10.
1939-1374 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TSC.2016.2540630, IEEE
Transactions on Services Computing
IEEE TRANSACTIONS ON SERVICES COMPUTING - SPECIAL ISSUE ON SECURITY AND DEPENDABILITY OF CLOUD SYSTEMS AND SERVICES, VOL. , NO. , SEPTEMBER 11
1939-1374 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TSC.2016.2540630, IEEE
Transactions on Services Computing
IEEE TRANSACTIONS ON SERVICES COMPUTING - SPECIAL ISSUE ON SECURITY AND DEPENDABILITY OF CLOUD SYSTEMS AND SERVICES, VOL. , NO. , SEPTEMBER 12
Table 5 shows the representation of such constraints in formulations for automatic processing may result more or
the reference syntax. less complicated depending on the related syntax. In order
to conclude the case study discussion with some experimen-
TABLE 5 tal results, we translated the analytical model to the Mosel
WebIntrusionDetection-specific constraints: syntax language 8 and processed it with the Xpress Optimization
Suite 9 , a commercial product for analytical optimization
ctype arg1 arg2 op v1 v2 that provides an educational release, adopted to conduct
SC1b IDSServer - - - - the experiments for this paper. Translation is quite straight-
SC2c IDSAgent IDSServer - - -
SC4-4 IDSServer IDSAgent ∗ 10 - forward and can be easily accomplished through a parser.
We run the model, consisting of 120 variables and 289
constraints, and obtained that 5 machines must be acquired
and components must be allocated as indicated in Table 6.
5.3 The Secure Web Container planning model
In the following, the complete planning model for our case TABLE 6
study is reported. Planning problem solution
20
X VM Components
min yi (objective function) 1 Apache, IDSAgent
i=1 2 Nginx, IDSAgent
s.t. 3 IDSServer
20
X 4 Balancer, IDSAgent
xij , ≥ 1 ∀i = 1, 2, · · · , 5 (GC1) 5 Apache, IDSAgent
j=1
Since a solution has been found, the Planning component
5
X builds an SLA Offer containing all capabilities and SLOs
xij ∗ 1 ≤ 10, ∀j = 1, 2, · · · , 20 (GC2)
specified by the customer during negotiation and submits it
i=1
to the customer for the signature. Later on, during the Im-
xij ≤ yj , ∀i = 1, 2, · · · , 5, ∀j = 1, 2, · · · , 20 (GC3) plementation phase, results produced by the solver will be
used to actually implement the plan and install components
x1j + xij ≤ 1, ∀i ∈ [2, 3], ∀j = 1, 2, · · · , 20 (SC1a)
on machines.
x2j + x3j ≤ 1, ∀j = 1, 2, · · · , 20 (SC1a) Let us consider a slightly different formulation of the
20
problem. Assume that constraint number 1 (“The Balancer
X component cannot be deployed on the same machine where
x1j = 1, (SC2a-1)
any of components {Apache, Nginx} reside”) of WebCon-
j=1
tainerPool mechanism is changed to: “Balancer components
20
X need exclusive use of machines” (SC1b). If the related
xij ≥ 3, (SC2b-2) model formulation was given in input to the solver, no
i:i∈[2,3],j=1 feasible solutions would be found, since the new intro-
20 duced constraint conflicts with constraint number 2 (“One
X
yi ≥ 4, (SC3) component IDSAgent must be allocated on every acquired
i=1 machine except where an IDSServer is installed”) of WebIn-
trusionDetection mechanism. In order to cope with this issue,
x4j + xij = 0, ∀i ∈ [1, 2, 3, 5], ∀j = 1, 2, · · · , 20 the Planning component always checks for the existence of
(SC1b) potentially conflicting constraints (in our case, SC1b and
x5j + x4j = yj , ∀j = 1, 2, · · · , 20 (SC2c) SC2c) and, in case of a conflict, it reformulates the less
20
X 20
X strict one, which in this case is the SC2c constraint set
x4j = 1 + f loor(1/10 ∗ x5j ), (SC4-4) on WebIntrusionDetection. In particular, such constraint is
j=1 j=1 updated to: “One component IDSAgent must be allocated
on every acquired machine except where an IDSServer or a
xij ∈ {0, 1}, i = 1, 2, · · · , 5, j = 1, 2, · · · , 20 Balancer are installed”, which corresponds to the following
yi ∈ {0, 1}, i = 1, 2, · · · , 20 formulation:
(bin. variables)
As discussed, this model is passed to an automatic x5j + x4j + x1j = yj , ∀j = 1, 2, · · · , 20 (SC2c)
solver running within the Planning component. Several
open source software libraries exist that allow to build and Such an updated planning model is then provided to the
solve linear programming models in a programmatic way, solver, which returns the results reported in Table 7.
and the implementation of a solver module that adopts such As a final remark, let us briefly discuss what happens
libraries within the Planning component is devised in the when no feasible solutions are found. As a simple example,
SPECS project and is part of the work in progress activities.
8. http://www.fico.com/en/wp-content/secure upload/Xpress-
Clearly, the final representation of the model is strictly Mosel-Libraries.pdf
dependent on the library selected for its implementation 9. http://www.fico.com/en/products/fico-xpress-optimization-
and solution, and the translation of model’s mathematical suite
1939-1374 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TSC.2016.2540630, IEEE
Transactions on Services Computing
IEEE TRANSACTIONS ON SERVICES COMPUTING - SPECIAL ISSUE ON SECURITY AND DEPENDABILITY OF CLOUD SYSTEMS AND SERVICES, VOL. , NO. , SEPTEMBER 13
1939-1374 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TSC.2016.2540630, IEEE
Transactions on Services Computing
IEEE TRANSACTIONS ON SERVICES COMPUTING - SPECIAL ISSUE ON SECURITY AND DEPENDABILITY OF CLOUD SYSTEMS AND SERVICES, VOL. , NO. , SEPTEMBER 14
1939-1374 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.